
Verify Apple Pay domain for S3 static website via CloudFront

0

I have an S3 static website being served via CloudFront, which works (mostly) fine. We have a wildcard certificate for our domain (i.e. *.example.com) set up in ACM. However, we are changing payment provider and need to register the domain for Apple Pay with our new provider. When trying to register, the provider either receives an Unauthorized response for the www.example.com version of our domain, or a 302 for the example.com version of our domain. The new provider has said that when we try to register using the example.com version of our domain, it is getting redirected to the http route for the file rather than using https, which is what Apple requires.

I have tried setting up a redirect rule in the static website hosting bucket redirection rules, but it did not make any significant difference. I have also tried to add a rule to our CloudFront distribution for the /.well-known/* path to only use HTTPS, but this also has not fixed the issue.

2 Answers
0

To complete Apple Pay domain verification, the Apple Pay domain verification file must be hosted precisely at https://<your-domain>/.well-known/apple-developer-merchantid-domain-association. Apple requirements stipulate that the file be served over HTTPS without any redirects. In this scenario, the CloudFront distribution should be configured to deliver the file directly from the S3 bucket, rather than through the S3 static website hosting endpoint, which only supports HTTP and introduces redirects that prevent successful verification.

https://developer.apple.com/documentation/applepaywebmerchantregistrationapi/preparing-merchant-domains-for-verification

answered 5 days ago
0

Hey,

Hope you're keeping well.

Apple Pay will only verify if the file is served exactly at https://<your-domain>/.well-known/apple-developer-merchantid-domain-association with no redirects and using HTTPS. If you’re using S3 static website hosting, that endpoint only supports HTTP and will cause the redirect issue you’re seeing. Configure CloudFront to fetch the file from the S3 bucket’s REST API endpoint (not the website endpoint), place the verification file in the bucket with public read, and create a CloudFront behavior for /.well-known/* that enforces HTTPS and points directly to that origin. This ensures the file is delivered over TLS with no protocol or path changes so Apple Pay can validate successfully.

Thanks and regards,
Taz

answered 2 days ago
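Putting both answers above into concrete form, the following CloudFormation template is an added example; it is not code from this thread, from the question asker, or from AWS. It assumes the hostnames example.com and www.example.com, an existing ACM certificate ARN (which must live in us-east-1 for CloudFront) passed in as a parameter, and a fresh bucket. It goes one step further than the second answer in one respect: instead of giving the verification object public read, CloudFront reads the bucket through an origin access control, so the bucket stays private while the file is still served at the exact path Apple probes. The origin is the bucket's REST endpoint (bucket.s3.region.amazonaws.com), not the website endpoint (bucket.s3-website-region.amazonaws.com); the website endpoint is HTTP-only and is where the http:// redirect in the question comes from.

```yaml
AWSTemplateFormatVersion: "2010-09-09"
Description: >
  Added example (not from the original thread): CloudFront in front of an S3
  bucket via its REST endpoint, serving /.well-known/* over HTTPS only, with
  no redirects, so Apple Pay domain verification can fetch the association file.

Parameters:
  DomainName:
    Type: String
    Default: example.com          # assumption: apex host; www is added as a second alias
  CertificateArn:
    Type: String                  # assumption: the existing *.example.com cert in ACM (us-east-1)

Resources:
  SiteBucket:
    Type: AWS::S3::Bucket
    Properties:
      # No public read is needed: CloudFront fetches objects with a signed (OAC) request.
      PublicAccessBlockConfiguration:
        BlockPublicAcls: true
        BlockPublicPolicy: true
        IgnorePublicAcls: true
        RestrictPublicBuckets: true

  OriginAccessControl:
    Type: AWS::CloudFront::OriginAccessControl
    Properties:
      OriginAccessControlConfig:
        Name: !Sub "${AWS::StackName}-s3-oac"
        OriginAccessControlOriginType: s3
        SigningBehavior: always
        SigningProtocol: sigv4

  SiteBucketPolicy:
    Type: AWS::S3::BucketPolicy
    Properties:
      Bucket: !Ref SiteBucket
      PolicyDocument:
        Version: "2012-10-17"
        Statement:
          - Sid: AllowOnlyThisDistributionToRead
            Effect: Allow
            Principal:
              Service: cloudfront.amazonaws.com
            Action: s3:GetObject
            Resource: !Sub "${SiteBucket.Arn}/*"
            Condition:
              StringEquals:
                # Scope the grant to this one distribution, not all of CloudFront.
                AWS:SourceArn: !Sub "arn:aws:cloudfront::${AWS::AccountId}:distribution/${Distribution}"

  Distribution:
    Type: AWS::CloudFront::Distribution
    Properties:
      DistributionConfig:
        Enabled: true
        Aliases:
          - !Ref DomainName
          - !Sub "www.${DomainName}"   # both hosts the question tried to register
        ViewerCertificate:
          AcmCertificateArn: !Ref CertificateArn
          SslSupportMethod: sni-only
          MinimumProtocolVersion: TLSv1.2_2021
        DefaultRootObject: index.html
        Origins:
          - Id: s3-rest-origin
            # REST endpoint of the bucket, NOT the s3-website endpoint (HTTP-only).
            DomainName: !GetAtt SiteBucket.RegionalDomainName
            OriginAccessControlId: !GetAtt OriginAccessControl.Id
            S3OriginConfig:
              OriginAccessIdentity: ""   # left empty because OAC is used instead of a legacy OAI
        CacheBehaviors:
          - PathPattern: "/.well-known/*"
            TargetOriginId: s3-rest-origin
            # https-only: a plain-HTTP request is rejected (403) rather than redirected,
            # so the verifier never sees a 302 or a Location header on this path.
            ViewerProtocolPolicy: https-only
            AllowedMethods: [GET, HEAD]
            CachedMethods: [GET, HEAD]
            Compress: false
            CachePolicyId: 658327ea-f89d-4fab-a63d-7e88639e58f6   # AWS managed "CachingOptimized"
        DefaultCacheBehavior:
          TargetOriginId: s3-rest-origin
          ViewerProtocolPolicy: redirect-to-https   # fine for ordinary site traffic
          AllowedMethods: [GET, HEAD]
          CachedMethods: [GET, HEAD]
          Compress: true
          CachePolicyId: 658327ea-f89d-4fab-a63d-7e88639e58f6
```

After the stack is deployed and DNS points at the distribution, upload the file Apple gives you to the exact key `.well-known/apple-developer-merchantid-domain-association` in the bucket (for example `aws s3 cp apple-developer-merchantid-domain-association s3://BUCKET/.well-known/apple-developer-merchantid-domain-association`), then check what the verifier will see with `curl -sSI --max-redirs 0 https://example.com/.well-known/apple-developer-merchantid-domain-association` and again for the `www.` host: the expected result is a `200` with no `location` header. A `302` pointing at `http://` means a request is still reaching the website endpoint; a `403` on the HTTPS URL means the object is missing or the bucket policy does not match the distribution ARN, since an OAC-fronted bucket returns 403 rather than 404 for unknown keys.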
